Bypass Record

BYOVD (Vulnerable Driver) × Zemana AntiMalware

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing Zemana AntiMalware, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Zemana AntiMalware
Technique: BYOVD (Vulnerable Driver)
MITRE ATT&CK: T1562.001
Confidence: High
Severity: Critical
Status: poc
Disclosed: 2023-06-15
Config / version noted: Not stated

Provenance

Reported as

CVE-2023-36204 grants unrestricted disk read/write through IOCTLs 0x80002014 and 0x80002018, allowing sensitive file disclosure or system compromise.

Mechanism

The driver fails to set an appropriate security descriptor on its device object, allowing any user to communicate with it. After registering via IOCTL 0x80002010, an attacker can use IOCTL 0x8000204C to obtain a handle to a privileged process for code injection, or use IOCTLs 0x80002014/0x80002018 to perform arbitrary SCSI read/write operations on the disk.

Detection & mitigation

Monitor for the loading of known vulnerable drivers such as zamguard64.sys or zam64.sys using Sysmon Event ID 6 (Driver Loaded) or EDR telemetry, and block them with Windows Defender Application Control (WDAC) or a vulnerable driver blocklist policy. Ensure endpoint protection platforms flag or prevent IOCTL communication with such drivers.
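One way to implement the Sysmon-based check described above, as an added example that is not part of the original record: the driver file names come from this record, while the sample events, host name, hash and signer strings are constructed placeholders. Matching on the image file name is a first pass only (a renamed copy would slip through), so the function also surfaces the Hashes and Signature fields for comparison against a hash- or signer-based blocklist.

```python
"""Flag Sysmon Event ID 6 (Driver Loaded) events that reference known vulnerable driver images.

Added example (not from the original record). Driver names are taken from the record above;
the events below are constructed samples in the EVTX-to-XML shape Sysmon emits, not real telemetry.
"""
import xml.etree.ElementTree as ET

# Driver file names named in this record; extend from a vendor or Microsoft blocklist as needed
VULNERABLE_DRIVER_NAMES = {"zamguard64.sys", "zam64.sys"}

# Windows event schema namespace used by Sysmon's XML rendering
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, computer, image, signed="true", signature="EXAMPLE SIGNER (constructed)"):
    """Build a constructed Sysmon event with the fields this check reads."""
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>{event_id}</EventID>
    <Computer>{computer}</Computer>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2023-06-15 10:00:00.000</Data>
    <Data Name="ImageLoaded">{image}</Data>
    <Data Name="Hashes">SHA256=PLACEHOLDER_CONSTRUCTED_HASH</Data>
    <Data Name="Signed">{signed}</Data>
    <Data Name="Signature">{signature}</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>"""

# Constructed sample log: one benign driver load, two vulnerable-driver loads
# (one under a non-standard path with odd casing), and one non-driver event.
SAMPLE_EVENTS = [
    _event(6, "ws01.example.test", r"C:\Windows\System32\drivers\disk.sys"),
    _event(6, "ws01.example.test", r"C:\Windows\System32\drivers\zam64.sys"),
    _event(1, "ws02.example.test", r"C:\Windows\System32\cmd.exe"),
    _event(6, "ws02.example.test", r"C:\Users\Public\ZAMGUARD64.SYS"),
]

def parse_driver_load(xml_text):
    """Return the EventData fields (plus Computer) for an Event ID 6 record, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    data["Computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    return data

def driver_basename(image_path):
    """Normalise a Windows (or forward-slash) path to a lower-case file name."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_vulnerable_driver(data):
    """Name-based match against the blocklist; case-insensitive, path-independent."""
    return driver_basename(data.get("ImageLoaded", "")) in VULNERABLE_DRIVER_NAMES

def find_vulnerable_driver_loads(events):
    """Scan XML events and return one finding per vulnerable driver load, in input order."""
    findings = []
    for xml_text in events:
        data = parse_driver_load(xml_text)
        if data is None or not is_vulnerable_driver(data):
            continue
        findings.append({
            "computer": data["Computer"],
            "utc_time": data.get("UtcTime", ""),
            "driver": driver_basename(data["ImageLoaded"]),
            "image": data["ImageLoaded"],
            # Carried along so the analyst can pivot to hash- or signer-based blocklists
            "hashes": data.get("Hashes", ""),
            "signature": data.get("Signature", ""),
        })
    return findings

if __name__ == "__main__":
    for f in find_vulnerable_driver_loads(SAMPLE_EVENTS):
        print(f"[ALERT] {f['computer']} loaded {f['image']} ({f['hashes']}; signer: {f['signature']})")
```

Feeding real telemetry means replacing SAMPLE_EVENTS with the XML of each Sysmon event (for example, the output of Get-WinEvent's ToXml() on the Microsoft-Windows-Sysmon/Operational log); a hit is an immediate triage item because a legitimately signed but known-vulnerable driver loading from a user-writable path is the BYOVD pattern this record describes.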

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.